DuendeSoftware / IdentityServer

The most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core
https://duendesoftware.com/products/identityserver

Support for Cross Origin Resource Policy on CheckSession #1202

Open gmiklich opened 1 year ago

gmiklich commented 1 year ago

Duende IdentityServer 6.2.0

This is just a question, not a bug.

If an app adds a COEP header to require-corp, the check session iframe will be blocked. CORS is already implemented, but is there any thought of adding a CORP header for allowing cross origin requests for certain endpoints (such as the check session one)?

I could also just be thinking about this incorrectly, so feel free to point that out if that's the case.

josephdecock commented 1 year ago

Thanks for the suggestion, we'll consider this in our future planning.

If you need the CORP header today, I imagine you probably could accomplish this with a middleware that would look for requests to the check session endpoint and add the header to the response.

brockallen commented 1 year ago

I guess we'd need to expose this as a new option to allow all 3 header values:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
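The middleware Joseph suggests, extended with the option Brock mentions for the three header values, as an added example that is not part of the IdentityServer code base. It assumes the default check session path `/connect/checksession` and a hypothetical `CorpValue` enum of my own; everything else is standard ASP.NET Core.

```csharp
// Added example (not Duende's code): sets Cross-Origin-Resource-Policy on the
// check session endpoint so a relying party served with COEP: require-corp can
// still embed the iframe. The three values are those listed on the MDN page above.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public enum CorpValue { SameOrigin, SameSite, CrossOrigin } // hypothetical option type

public class CheckSessionCorpMiddleware
{
    private readonly RequestDelegate _next;
    private readonly PathString _checkSessionPath;
    private readonly string _headerValue;

    public CheckSessionCorpMiddleware(RequestDelegate next, CorpValue value, PathString checkSessionPath)
    {
        _next = next;
        _checkSessionPath = checkSessionPath;
        _headerValue = value switch
        {
            CorpValue.SameOrigin  => "same-origin",
            CorpValue.SameSite    => "same-site",
            // The iframe is loaded by client apps on other origins, so this is the
            // value a COEP: require-corp page actually needs for the check session endpoint.
            CorpValue.CrossOrigin => "cross-origin",
            _ => throw new ArgumentOutOfRangeException(nameof(value))
        };
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Only the check session endpoint is affected; other endpoints keep their defaults.
        if (context.Request.Path.Equals(_checkSessionPath, StringComparison.OrdinalIgnoreCase))
        {
            // Register before the response starts so the header is not lost once
            // the endpoint begins writing the body.
            context.Response.OnStarting(() =>
            {
                context.Response.Headers["Cross-Origin-Resource-Policy"] = _headerValue;
                return Task.CompletedTask;
            });
        }
        await _next(context);
    }
}

// Registration in Program.cs, placed before app.UseIdentityServer():
// app.UseMiddleware<CheckSessionCorpMiddleware>(CorpValue.CrossOrigin, new PathString("/connect/checksession"));
```

CORP only governs whether the document may be loaded under COEP; the existing CORS configuration and the postMessage-based session check are unchanged by it.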